-rw-r--r--paramiko/ecdsakey.py2
-rw-r--r--paramiko/proxy.py4
-rw-r--r--paramiko/transport.py27
-rw-r--r--sites/www/changelog.rst14
4 files changed, 31 insertions, 16 deletions
diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py
index d435603d..e4f74310 100644
--- a/paramiko/ecdsakey.py
+++ b/paramiko/ecdsakey.py
@@ -258,7 +258,7 @@ class ECDSAKey(PKey):
key = serialization.load_der_private_key(
data, password=None, backend=default_backend()
)
- except ValueError as e:
+ except (ValueError, AssertionError) as e:
raise SSHException(str(e))
self.signing_key = key
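Review bot: `raise SSHException(str(e))` can now produce an exception with an empty message, because an `AssertionError` raised by a bare `assert` carries no text, and a blank key-loading failure is hard to diagnose from logs. A fallback keeps the error readable: `raise SSHException(str(e) or "Invalid ECDSA private key data")`. Catching `AssertionError` also reports any assertion raised inside the `try` as a bad key, so the `try` body, which starts outside this hunk, should stay limited to the `load_der_private_key` call.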
diff --git a/paramiko/proxy.py b/paramiko/proxy.py
index d3ae436f..059ba83e 100644
--- a/paramiko/proxy.py
+++ b/paramiko/proxy.py
@@ -21,7 +21,6 @@ from datetime import datetime
import os
from shlex import split as shlsplit
import signal
-from subprocess import Popen, PIPE
from select import select
import socket
import time
@@ -49,6 +48,9 @@ class ProxyCommand(ClosingContextManager):
:param str command_line:
the command that should be executed and used as the proxy.
"""
+ # NOTE: subprocess import done lazily so platforms without it (e.g.
+ # GAE) can still import us during overall Paramiko load.
+ from subprocess import Popen, PIPE
self.cmd = shlsplit(command_line)
self.process = Popen(self.cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE,
bufsize=0)
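Review bot: With the import moved into `__init__`, a platform without `subprocess` now fails at the first `ProxyCommand(...)` construction with a bare `ImportError`, and the docstring above does not mention it. I would add a line such as `:raises ImportError: if the subprocess module is unavailable` to the docstring so callers know to handle it. Any other use of `Popen` or `PIPE` in this module outside `__init__` (not visible in this hunk) would now raise `NameError` and should be checked. The `__init__` body starts before and continues after the hunk.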
diff --git a/paramiko/transport.py b/paramiko/transport.py
index b52d3158..71d5109e 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -229,6 +229,7 @@ class Transport (threading.Thread, ClosingContextManager):
}
_modulus_pack = None
+ _active_check_timeout = 0.1
def __init__(self,
sock,
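Review bot: `_active_check_timeout` is added without a comment, although its value is passed straight to `self.sock.settimeout(...)` in the next hunk (`@@ -316,7 +317,7 @@`). There, `None` would make the socket block indefinitely and `0` would make it non-blocking, and either one defeats the periodic `self.active` check that the surrounding comment describes. I would add above the attribute: `# Seconds between self.active checks on the socket; keep it a small positive number (None blocks forever, 0 is non-blocking).` The class body continues outside this hunk.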
@@ -316,7 +317,7 @@ class Transport (threading.Thread, ClosingContextManager):
# we set the timeout so we can check self.active periodically to
# see if we should bail. socket.timeout exception is never
# propagated.
- self.sock.settimeout(0.1)
+ self.sock.settimeout(self._active_check_timeout)
except AttributeError:
pass
@@ -1428,20 +1429,18 @@ class Transport (threading.Thread, ClosingContextManager):
def auth_gssapi_keyex(self, username):
"""
- Authenticate to the Server with GSS-API / SSPI if GSS-API Key Exchange
- was the used key exchange method.
+ Authenticate to the server with GSS-API/SSPI if GSS-API kex is in use.
- :param str username: The username to authenticate as
- :param str gss_host: The target host
- :param bool gss_deleg_creds: Delegate credentials or not
- :return: list of auth types permissible for the next stage of
- authentication (normally empty)
- :rtype: list
- :raise BadAuthenticationType: if GSS-API Key Exchange was not performed
- (and no event was passed in)
- :raise AuthenticationException: if the authentication failed (and no
- event was passed in)
- :raise SSHException: if there was a network error
+ :param str username: The username to authenticate as.
+ :returns:
+ a `list` of auth types permissible for the next stage of
+ authentication (normally empty)
+ :raises BadAuthenticationType:
+ if GSS-API Key Exchange was not performed (and no event was passed
+ in)
+ :raises AuthenticationException:
+ if the authentication failed (and no event was passed in)
+ :raises SSHException: if there was a network error
"""
if (not self.active) or (not self.initial_kex_done):
# we should never try to authenticate unless we're on a secure link
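Review bot: The rewritten docstring still says "(and no event was passed in)" under both `:raises BadAuthenticationType:` and `:raises AuthenticationException:`, but the signature shown here is `auth_gssapi_keyex(self, username)` with no event parameter. Since the stated aim is to make the docstring match the real signature, those parentheticals should be dropped, leaving `if GSS-API Key Exchange was not performed` and `if the authentication failed`. The method body continues past the end of the hunk.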
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 49ddd848..f739c9fa 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,20 @@
Changelog
=========
+* :bug:`742` (also re: :issue:`559`) Catch ``AssertionError`` thrown by
+ Cryptography when attempting to load bad ECDSA keys, turning it into an
+ ``SSHException``. This moves the behavior in line with other "bad keys"
+ situations, re: Paramiko's main auth loop. Thanks to MengHuan Yu for the
+ patch.
+* :bug:`334` Make the ``subprocess`` import in ``proxy.py`` lazy so users on
+ platforms without it (such as Google App Engine) can import Paramiko
+ successfully. (Relatedly, make it easier to tweak an active socket check
+ timeout [in `Transport <paramko.transport.Transport>`] which was previously
+ hardcoded.) Credit: Shinya Okano.
+* :support:`854 backported` Fix incorrect docstring/param-list for
+ `Transport.auth_gssapi_keyex
+ <paramiko.transport.Transport.auth_gssapi_keyex>` so it matches the real
+ signature. Caught by ``@Score_Under``.
* :bug:`681` Fix a Python3-specific bug re: the handling of read buffers when
using ``ProxyCommand``. Thanks to Paul Kapp for catch & patch.
* :feature:`398` Add an ``environment`` dict argument to `Client.exec_command